vulnerability assessment tools
For a basic DIY (do-it-yourself) information security vulnerability assessment, the following FOSS tools often come in handy.
- Nmap
  - Available in GUI and CLI versions for both Linux/UNIX and Windows platforms.
- Nessus vulnerability scanner
  - Currently the server is supported only on Linux/UNIX platforms. A GUI client is available, and a command-line equivalent exists for task scheduling and the like.
  - A pretty client GUI is also available on Windows and other platforms.
  - Do sign up (free!) and update the vulnerability signature database before a scan.
If you have the need and the budget to analyze the web application in depth, the following two commercial products are top of the line.
- AppScan
  - A trial version of AppScan is available but kind of useless, since it scans only something like demo.watchfire.com. If I were you, I wouldn't bother to download it next time around.
  - A 3-day license, a full license, or an auditor's license is available directly from watchfire.com.
  - Or, pay firms that specialize in outsourced information security to do it for you.
- WebInspect
  - Be ready to provide a test account so it can log on to pages restricted to authenticated users.
  - Do some basic Apache securing and hardening before the scan. Otherwise it will have too much to report.
A lot can be done for secure coding practice. Code audit tools definitely help.